OpenWrt: add initial support

Open aparcar opened this issue 4 years ago • 16 comments

This commit is a follow up on a previous PR #6268. While multiple architectures are supported, initially only amd64 is added for testing.

Checklist for Review

NOTE: This checklist is intended for the use of the Official Images maintainers both to track the status of your PR and to help inform you and others of where we're at. As such, please leave the "checking" of items to the repository maintainers. If there is a point below for which you would like to provide additional information or note completion, please do so by commenting on the PR. Thanks! (and thanks for staying patient with us :heart:)

  • [x] associated with or contacted upstream?
    • https://github.com/openwrt
  • [x] does it fit into one of the common categories? ("service", "language stack", "base distribution")
  • [x] is it reasonably popular, or does it solve a particular use case well?
  • [ ] does a documentation PR exist? (should be reviewed and merged at roughly the same time so that we don't have an empty image page on the Hub for very long)
  • [ ] official-images maintainer dockerization review for best practices and cache gotchas/improvements (ala the official review guidelines)?
  • [ ] 2+ official-images maintainer dockerization review?
  • [x] ~~existing official images have been considered as a base? (ie, if foobar needs Node.js, has FROM node:... instead of grabbing node via other means been considered?)~~
  • [x] if FROM scratch, tarballs only exist in a single commit within the associated history?
  • [x] passes current tests? any simple new tests that might be appropriate to add? (https://github.com/docker-library/official-images/tree/master/test)

aparcar avatar May 08 '20 19:05 aparcar

Just FYI, that test failure is CVE-2019-5021, so probably worth fixing elsewhere if it's not isolated to the way this image is built. :grimacing:

tianon avatar May 08 '20 19:05 tianon

There also appear to be a lot of files under /lib/modules that are probably ripe for image size reduction. :smile:

tianon avatar May 08 '20 19:05 tianon

Thanks @tianon for the quick response! Regarding the CVE, as most routers don't offer anything but network access after the first installation we can't set up a password. However, I changed that for Docker.

How can I remove the modules? I remember running a command like rm on the wrong architecture would cause failures, are all images created natively?

aparcar avatar May 08 '20 19:05 aparcar

Diff for 0569fec46c91a1bde08003a25732ca3279ea9641:
failed fetching repo "openwrt"
unable to find a manifest named "openwrt" (in "/tmp/tmp.xdgBdBNiHW/oi/library" or as a remote URL)
diff --git a/_bashbrew-arches b/_bashbrew-arches
index e69de29..a0d9bb7 100644
--- a/_bashbrew-arches
+++ b/_bashbrew-arches
@@ -0,0 +1 @@
+openwrt:snapshot @ amd64
diff --git a/_bashbrew-list b/_bashbrew-list
index e69de29..e871304 100644
--- a/_bashbrew-list
+++ b/_bashbrew-list
@@ -0,0 +1,2 @@
+openwrt:latest
+openwrt:snapshot
diff --git a/_bashbrew.err b/_bashbrew.err
index 7e3f1e5..e69de29 100644
--- a/_bashbrew.err
+++ b/_bashbrew.err
@@ -1,6 +0,0 @@
-failed fetching repo "openwrt"
-unable to find a manifest named "openwrt" (in "/tmp/tmp.xdgBdBNiHW/oi/library" or as a remote URL)
-failed fetching repo "openwrt"
-unable to find a manifest named "openwrt" (in "/tmp/tmp.xdgBdBNiHW/oi/library" or as a remote URL)
-failed fetching repo "openwrt"
-unable to find a manifest named "openwrt" (in "/tmp/tmp.xdgBdBNiHW/oi/library" or as a remote URL)
diff --git a/openwrt_snapshot/Dockerfile b/openwrt_snapshot/Dockerfile
new file mode 100644
index 0000000..5b2a586
--- /dev/null
+++ b/openwrt_snapshot/Dockerfile
@@ -0,0 +1,5 @@
+FROM scratch
+ADD openwrt-x86-64-rootfs.tar.gz /
+ADD inittab /etc/
+ADD shadow /etc/
+CMD ["/sbin/init"]
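Review bot: the "ADD inittab /etc/" and "ADD shadow /etc/" lines replace whole files that the tarball already ships (etc/inittab and etc/shadow are both in its listing), so the copies in this directory can drift from the distribution's versions whenever the rootfs is regenerated. A single RUN step that edits the shipped files in place would keep the image in step with upstream. It is also worth stating why "/sbin/init" is the default command, since the inittab added here only ends up offering a login shell on the console.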
diff --git a/openwrt_snapshot/inittab b/openwrt_snapshot/inittab
new file mode 100644
index 0000000..69d250d
--- /dev/null
+++ b/openwrt_snapshot/inittab
@@ -0,0 +1,7 @@
+::sysinit:/etc/init.d/rcS S boot
+::shutdown:/etc/init.d/rcS K shutdown
+ttyS0::askfirst:/usr/libexec/login.sh
+hvc0::askfirst:/usr/libexec/login.sh
+tty1::askfirst:/usr/libexec/login.sh
+console::askfirst:/usr/libexec/login.sh
+
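Review bot: the ttyS0, hvc0 and tty1 askfirst entries name terminals that may not exist inside a container, so the console line is probably the only one that matters here; if the others are kept for parity with the distribution file, a comment saying so would help. The hunk also ends with an empty added line that can be dropped.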
diff --git a/openwrt_snapshot/openwrt-x86-64-rootfs.tar.gz b/openwrt_snapshot/openwrt-x86-64-rootfs.tar.gz
new file mode 100644
index 0000000..7227cb8
Binary files /dev/null and b/openwrt_snapshot/openwrt-x86-64-rootfs.tar.gz differ
diff --git a/openwrt_snapshot/openwrt-x86-64-rootfs.tar.gz  'tar -t' b/openwrt_snapshot/openwrt-x86-64-rootfs.tar.gz  'tar -t'
new file mode 100644
index 0000000..9d94a8c
--- /dev/null
+++ b/openwrt_snapshot/openwrt-x86-64-rootfs.tar.gz  'tar -t'	
@@ -0,0 +1,826 @@
+
+bin/
+bin/ash
+bin/board_detect
+bin/busybox
+bin/cat
+bin/chgrp
+bin/chmod
+bin/chown
+bin/config_generate
+bin/cp
+bin/date
+bin/dd
+bin/df
+bin/dmesg
+bin/echo
+bin/egrep
+bin/false
+bin/fgrep
+bin/fsync
+bin/grep
+bin/gunzip
+bin/gzip
+bin/ipcalc.sh
+bin/kill
+bin/ln
+bin/lock
+bin/login
+bin/ls
+bin/mkdir
+bin/mknod
+bin/mktemp
+bin/mount
+bin/mv
+bin/netmsg
+bin/netstat
+bin/nice
+bin/opkg
+bin/passwd
+bin/pidof
+bin/ping
+bin/ping6
+bin/ps
+bin/pwd
+bin/rm
+bin/rmdir
+bin/sed
+bin/sh
+bin/sleep
+bin/sync
+bin/tar
+bin/touch
+bin/traceroute
+bin/traceroute6
+bin/true
+bin/ubus
+bin/uclient-fetch
+bin/umount
+bin/uname
+bin/vi
+bin/zcat
+dev/
+etc/
+etc/TZ
+etc/banner
+etc/banner.failsafe
+etc/board.d/
+etc/board.d/01_leds
+etc/board.d/02_network
+etc/board.d/99-default_network
+etc/config/
+etc/config/dhcp
+etc/config/dropbear
+etc/config/firewall
+etc/crontabs/
+etc/device_info
+etc/diag.sh
+etc/dnsmasq.conf
+etc/dropbear/
+etc/dropbear/dropbear_rsa_host_key
+etc/e2fsck.conf
+etc/ethers
+etc/firewall.user
+etc/fstab
+etc/group
+etc/hosts
+etc/hotplug-preinit.json
+etc/hotplug.d/
+etc/hotplug.d/dhcp/
+etc/hotplug.d/iface/
+etc/hotplug.d/iface/00-netstate
+etc/hotplug.d/iface/20-firewall
+etc/hotplug.d/neigh/
+etc/hotplug.d/net/
+etc/hotplug.d/net/00-sysctl
+etc/hotplug.d/net/20-smp-packet-steering
+etc/hotplug.d/ntp/
+etc/hotplug.d/ntp/25-dnsmasqsec
+etc/hotplug.d/tftp/
+etc/hotplug.json
+etc/init.d/
+etc/init.d/boot
+etc/init.d/cron
+etc/init.d/dnsmasq
+etc/init.d/done
+etc/init.d/dropbear
+etc/init.d/firewall
+etc/init.d/gpio_switch
+etc/init.d/led
+etc/init.d/log
+etc/init.d/network
+etc/init.d/odhcpd
+etc/init.d/sysctl
+etc/init.d/sysfixtime
+etc/init.d/sysntpd
+etc/init.d/system
+etc/init.d/umount
+etc/init.d/urandom_seed
+etc/init.d/urngd
+etc/inittab
+etc/iproute2/
+etc/iproute2/ematch_map
+etc/iproute2/rt_protos
+etc/iproute2/rt_tables
+etc/localtime
+etc/modules-boot.d/
+etc/modules-boot.d/30-button-hotplug
+etc/modules.d/
+etc/modules.d/25-nls-cp437
+etc/modules.d/25-nls-iso8859-1
+etc/modules.d/25-nls-utf8
+etc/modules.d/30-button-hotplug
+etc/modules.d/30-fs-vfat
+etc/modules.d/42-ip6tables
+etc/modules.d/ipt-conntrack
+etc/modules.d/ipt-core
+etc/modules.d/ipt-nat
+etc/modules.d/ipt-offload
+etc/modules.d/lib-crc-ccitt
+etc/modules.d/nf-conntrack
+etc/modules.d/nf-flow
+etc/modules.d/nf-ipt
+etc/modules.d/nf-ipt6
+etc/modules.d/nf-nat
+etc/modules.d/nf-reject
+etc/modules.d/nf-reject6
+etc/modules.d/ppp
+etc/modules.d/pppoe
+etc/mtab
+etc/openwrt_release
+etc/openwrt_version
+etc/opkg.conf
+etc/opkg/
+etc/opkg/customfeeds.conf
+etc/opkg/distfeeds.conf
+etc/opkg/keys/
+etc/opkg/keys/0b26f36ae0f4106d
+etc/opkg/keys/1035ac73cc4e59e3
+etc/opkg/keys/5151f69420c3f508
+etc/opkg/keys/72a57f2191b211e0
+etc/opkg/keys/792d9d9b39f180dc
+etc/opkg/keys/9ef4694208102c43
+etc/opkg/keys/b2d571e0880ff617
+etc/opkg/keys/b5043e70f9a75cde
+etc/opkg/keys/c10b9afab19ee428
+etc/opkg/keys/dace9d4df16896bf
+etc/opkg/keys/dd6de0d06bbd3d85
+etc/opkg/keys/f94b9dd6febac963
+etc/os-release
+etc/passwd
+etc/ppp/
+etc/ppp/chap-secrets
+etc/ppp/filter
+etc/ppp/options
+etc/ppp/resolv.conf
+etc/preinit
+etc/profile
+etc/protocols
+etc/rc.button/
+etc/rc.button/failsafe
+etc/rc.button/power
+etc/rc.button/reboot
+etc/rc.button/reset
+etc/rc.button/rfkill
+etc/rc.common
+etc/rc.d/
+etc/rc.d/K10gpio_switch
+etc/rc.d/K50dropbear
+etc/rc.d/K85odhcpd
+etc/rc.d/K89log
+etc/rc.d/K90boot
+etc/rc.d/K90network
+etc/rc.d/K90sysfixtime
+etc/rc.d/K90umount
+etc/rc.d/S00sysfixtime
+etc/rc.d/S00urngd
+etc/rc.d/S10boot
+etc/rc.d/S10system
+etc/rc.d/S11sysctl
+etc/rc.d/S12log
+etc/rc.d/S19dnsmasq
+etc/rc.d/S19dropbear
+etc/rc.d/S19firewall
+etc/rc.d/S20network
+etc/rc.d/S35odhcpd
+etc/rc.d/S50cron
+etc/rc.d/S94gpio_switch
+etc/rc.d/S95done
+etc/rc.d/S96led
+etc/rc.d/S98sysntpd
+etc/rc.d/S99urandom_seed
+etc/rc.local
+etc/resolv.conf
+etc/services
+etc/shadow
+etc/shells
+etc/shinit
+etc/sysctl.conf
+etc/sysctl.d/
+etc/sysctl.d/10-default.conf
+etc/sysctl.d/11-nf-conntrack.conf
+etc/sysupgrade.conf
+etc/uci-defaults/
+etc/uci-defaults/10_migrate-shadow
+etc/uci-defaults/12_network-generate-ula
+etc/uci-defaults/13_fix-group-user
+etc/uci-defaults/14_migrate-dhcp-release
+etc/uci-defaults/20_migrate-feeds
+etc/uci-defaults/50-dnsmasq-migrate-resolv-conf-auto.sh
+etc/uci-defaults/odhcpd.defaults
+lib/
+lib/config/
+lib/config/uci.sh
+lib/firmware/
+lib/functions.sh
+lib/functions/
+lib/functions/caldata.sh
+lib/functions/fsck/
+lib/functions/fsck/e2fsck.sh
+lib/functions/leds.sh
+lib/functions/migrations.sh
+lib/functions/network.sh
+lib/functions/preinit.sh
+lib/functions/procd.sh
+lib/functions/service.sh
+lib/functions/system.sh
+lib/functions/uci-defaults.sh
+lib/ld-musl-x86_64.so.1
+lib/libblobmsg_json.so
+lib/libc.so
+lib/libfstools.so
+lib/libgcc_s.so.1
+lib/libjson_script.so
+lib/libsetlbf.so
+lib/libubox.so
+lib/libubus.so
+lib/libuci.so
+lib/libvalidate.so
+lib/modules/
+lib/modules/5.4.39/
+lib/modules/5.4.39/button-hotplug.ko
+lib/modules/5.4.39/crc-ccitt.ko
+lib/modules/5.4.39/fat.ko
+lib/modules/5.4.39/ip6_tables.ko
+lib/modules/5.4.39/ip6t_REJECT.ko
+lib/modules/5.4.39/ip6table_filter.ko
+lib/modules/5.4.39/ip6table_mangle.ko
+lib/modules/5.4.39/ip_tables.ko
+lib/modules/5.4.39/ipt_REJECT.ko
+lib/modules/5.4.39/iptable_filter.ko
+lib/modules/5.4.39/iptable_mangle.ko
+lib/modules/5.4.39/iptable_nat.ko
+lib/modules/5.4.39/nf_conntrack.ko
+lib/modules/5.4.39/nf_conntrack_rtcache.ko
+lib/modules/5.4.39/nf_defrag_ipv4.ko
+lib/modules/5.4.39/nf_defrag_ipv6.ko
+lib/modules/5.4.39/nf_flow_table.ko
+lib/modules/5.4.39/nf_flow_table_hw.ko
+lib/modules/5.4.39/nf_log_common.ko
+lib/modules/5.4.39/nf_log_ipv4.ko
+lib/modules/5.4.39/nf_log_ipv6.ko
+lib/modules/5.4.39/nf_nat.ko
+lib/modules/5.4.39/nf_reject_ipv4.ko
+lib/modules/5.4.39/nf_reject_ipv6.ko
+lib/modules/5.4.39/nls_cp437.ko
+lib/modules/5.4.39/nls_iso8859-1.ko
+lib/modules/5.4.39/nls_utf8.ko
+lib/modules/5.4.39/ppp_async.ko
+lib/modules/5.4.39/ppp_generic.ko
+lib/modules/5.4.39/pppoe.ko
+lib/modules/5.4.39/pppox.ko
+lib/modules/5.4.39/slhc.ko
+lib/modules/5.4.39/vfat.ko
+lib/modules/5.4.39/x_tables.ko
+lib/modules/5.4.39/xt_CT.ko
+lib/modules/5.4.39/xt_FLOWOFFLOAD.ko
+lib/modules/5.4.39/xt_LOG.ko
+lib/modules/5.4.39/xt_MASQUERADE.ko
+lib/modules/5.4.39/xt_REDIRECT.ko
+lib/modules/5.4.39/xt_TCPMSS.ko
+lib/modules/5.4.39/xt_comment.ko
+lib/modules/5.4.39/xt_conntrack.ko
+lib/modules/5.4.39/xt_limit.ko
+lib/modules/5.4.39/xt_mac.ko
+lib/modules/5.4.39/xt_mark.ko
+lib/modules/5.4.39/xt_multiport.ko
+lib/modules/5.4.39/xt_nat.ko
+lib/modules/5.4.39/xt_state.ko
+lib/modules/5.4.39/xt_tcpudp.ko
+lib/modules/5.4.39/xt_time.ko
+lib/netifd/
+lib/netifd/dhcp.script
+lib/netifd/dhcpv6.script
+lib/netifd/netifd-proto.sh
+lib/netifd/netifd-wireless.sh
+lib/netifd/ppp-down
+lib/netifd/ppp-up
+lib/netifd/ppp6-up
+lib/netifd/proto/
+lib/netifd/proto/dhcp.sh
+lib/netifd/proto/dhcpv6.sh
+lib/netifd/proto/ppp.sh
+lib/netifd/utils.sh
+lib/network/
+lib/network/config.sh
+lib/preinit/
+lib/preinit/00_preinit.conf
+lib/preinit/01_sysinfo
+lib/preinit/02_default_set_state
+lib/preinit/02_load_x86_ucode
+lib/preinit/02_sysinfo
+lib/preinit/10_indicate_failsafe
+lib/preinit/10_indicate_preinit
+lib/preinit/15_essential_fs_x86
+lib/preinit/20_check_iso
+lib/preinit/30_failsafe_wait
+lib/preinit/40_run_failsafe_hook
+lib/preinit/45_mount_xenfs
+lib/preinit/50_indicate_regular_preinit
+lib/preinit/70_initramfs_test
+lib/preinit/79_move_config
+lib/preinit/80_mount_root
+lib/preinit/81_upgrade_bootloader
+lib/preinit/81_urandom_seed
+lib/preinit/99_10_failsafe_dropbear
+lib/preinit/99_10_failsafe_login
+lib/preinit/99_10_run_init
+lib/upgrade/
+lib/upgrade/common.sh
+lib/upgrade/do_stage2
+lib/upgrade/fwtool.sh
+lib/upgrade/keep.d/
+lib/upgrade/keep.d/base-files
+lib/upgrade/keep.d/base-files-essential
+lib/upgrade/keep.d/opkg
+lib/upgrade/keep.d/ppp
+lib/upgrade/platform.sh
+lib/upgrade/stage2
+lib64
+mnt/
+overlay/
+proc/
+rom/
+rom/note
+root/
+sbin/
+sbin/askfirst
+sbin/devstatus
+sbin/firstboot
+sbin/fw3
+sbin/halt
+sbin/hotplug-call
+sbin/hwclock
+sbin/ifconfig
+sbin/ifdown
+sbin/ifstatus
+sbin/ifup
+sbin/init
+sbin/insmod
+sbin/ip
+sbin/jffs2mark
+sbin/jffs2reset
+sbin/kmodloader
+sbin/led.sh
+sbin/logd
+sbin/logread
+sbin/lsmod
+sbin/mkswap
+sbin/modinfo
+sbin/modprobe
+sbin/mount_root
+sbin/mtd
+sbin/netifd
+sbin/pivot_root
+sbin/poweroff
+sbin/procd
+sbin/reboot
+sbin/reload_config
+sbin/rmmod
+sbin/route
+sbin/start-stop-daemon
+sbin/swapoff
+sbin/swapon
+sbin/switch_root
+sbin/sysctl
+sbin/sysupgrade
+sbin/ubusd
+sbin/uci
+sbin/udevtrigger
+sbin/udhcpc
+sbin/upgraded
+sbin/urandom_seed
+sbin/urngd
+sbin/validate_data
+sbin/wifi
+sys/
+tmp/
+usr/
+usr/bin/
+usr/bin/[
+usr/bin/[[
+usr/bin/awk
+usr/bin/basename
+usr/bin/bunzip2
+usr/bin/bzcat
+usr/bin/clear
+usr/bin/cmp
+usr/bin/crontab
+usr/bin/cut
+usr/bin/dbclient
+usr/bin/dirname
+usr/bin/dropbearkey
+usr/bin/du
+usr/bin/env
+usr/bin/expr
+usr/bin/find
+usr/bin/flock
+usr/bin/free
+usr/bin/fwtool
+usr/bin/getrandom
+usr/bin/head
+usr/bin/hexdump
+usr/bin/id
+usr/bin/jshn
+usr/bin/jsonfilter
+usr/bin/killall
+usr/bin/ldd
+usr/bin/less
+usr/bin/logger
+usr/bin/md5sum
+usr/bin/mkfifo
+usr/bin/nc
+usr/bin/nslookup
+usr/bin/pgrep
+usr/bin/printf
+usr/bin/readlink
+usr/bin/reset
+usr/bin/scp
+usr/bin/seq
+usr/bin/sha256sum
+usr/bin/signify
+usr/bin/sort
+usr/bin/ssh
+usr/bin/strings
+usr/bin/tail
+usr/bin/tee
+usr/bin/test
+usr/bin/time
+usr/bin/top
+usr/bin/tr
+usr/bin/uniq
+usr/bin/uptime
+usr/bin/usign
+usr/bin/wc
+usr/bin/wget
+usr/bin/which
+usr/bin/xargs
+usr/bin/yes
+usr/lib/
+usr/lib/dnsmasq/
+usr/lib/dnsmasq/dhcp-script.sh
+usr/lib/iptables/
+usr/lib/libblkid.so.1
+usr/lib/libblkid.so.1.1.0
+usr/lib/libcom_err.so.0
+usr/lib/libcom_err.so.0.0
+usr/lib/libe2p.so.2
+usr/lib/libe2p.so.2.3
+usr/lib/libext2fs.so.2
+usr/lib/libext2fs.so.2.4
+usr/lib/libf2fs.so.7
+usr/lib/libf2fs.so.7.0.0
+usr/lib/libip4tc.so.2
+usr/lib/libip4tc.so.2.0.0
+usr/lib/libip6tc.so.2
+usr/lib/libip6tc.so.2.0.0
+usr/lib/libiptext.so
+usr/lib/libiptext4.so
+usr/lib/libiptext6.so
+usr/lib/libjson-c.so.4
+usr/lib/libjson-c.so.4.0.0
+usr/lib/libnl-tiny.so
+usr/lib/libsmartcols.so.1
+usr/lib/libsmartcols.so.1.1.0
+usr/lib/libss.so.2
+usr/lib/libss.so.2.0
+usr/lib/libuclient.so
+usr/lib/libuuid.so.1
+usr/lib/libuuid.so.1.3.0
+usr/lib/libxtables.so.12
+usr/lib/libxtables.so.12.2.0
+usr/lib/opkg/
+usr/lib/opkg/info/
+usr/lib/opkg/info/base-files.conffiles
+usr/lib/opkg/info/base-files.control
+usr/lib/opkg/info/base-files.list
+usr/lib/opkg/info/base-files.prerm
+usr/lib/opkg/info/busybox.control
+usr/lib/opkg/info/busybox.list
+usr/lib/opkg/info/busybox.prerm
+usr/lib/opkg/info/dnsmasq.conffiles
+usr/lib/opkg/info/dnsmasq.control
+usr/lib/opkg/info/dnsmasq.list
+usr/lib/opkg/info/dnsmasq.prerm
+usr/lib/opkg/info/dropbear.conffiles
+usr/lib/opkg/info/dropbear.control
+usr/lib/opkg/info/dropbear.list
+usr/lib/opkg/info/dropbear.prerm
+usr/lib/opkg/info/e2fsprogs.conffiles
+usr/lib/opkg/info/e2fsprogs.control
+usr/lib/opkg/info/e2fsprogs.list
+usr/lib/opkg/info/e2fsprogs.prerm
+usr/lib/opkg/info/firewall.conffiles
+usr/lib/opkg/info/firewall.control
+usr/lib/opkg/info/firewall.list
+usr/lib/opkg/info/firewall.prerm
+usr/lib/opkg/info/fstools.control
+usr/lib/opkg/info/fstools.list
+usr/lib/opkg/info/fstools.prerm
+usr/lib/opkg/info/fwtool.control
+usr/lib/opkg/info/fwtool.list
+usr/lib/opkg/info/fwtool.prerm
+usr/lib/opkg/info/getrandom.control
+usr/lib/opkg/info/getrandom.list
+usr/lib/opkg/info/getrandom.prerm
+usr/lib/opkg/info/grub2-efi.control
+usr/lib/opkg/info/grub2-efi.list
+usr/lib/opkg/info/grub2-efi.prerm
+usr/lib/opkg/info/grub2.control
+usr/lib/opkg/info/grub2.list
+usr/lib/opkg/info/grub2.prerm
+usr/lib/opkg/info/ip6tables.control
+usr/lib/opkg/info/ip6tables.list
+usr/lib/opkg/info/ip6tables.prerm
+usr/lib/opkg/info/iptables.control
+usr/lib/opkg/info/iptables.list
+usr/lib/opkg/info/iptables.prerm
+usr/lib/opkg/info/jshn.control
+usr/lib/opkg/info/jshn.list
+usr/lib/opkg/info/jshn.prerm
+usr/lib/opkg/info/jsonfilter.control
+usr/lib/opkg/info/jsonfilter.list
+usr/lib/opkg/info/jsonfilter.prerm
+usr/lib/opkg/info/kernel.control
+usr/lib/opkg/info/kernel.list
+usr/lib/opkg/info/kernel.prerm
+usr/lib/opkg/info/kmod-button-hotplug.control
+usr/lib/opkg/info/kmod-button-hotplug.list
+usr/lib/opkg/info/kmod-button-hotplug.prerm
+usr/lib/opkg/info/kmod-fs-vfat.control
+usr/lib/opkg/info/kmod-fs-vfat.list
+usr/lib/opkg/info/kmod-fs-vfat.prerm
+usr/lib/opkg/info/kmod-input-core.control
+usr/lib/opkg/info/kmod-input-core.list
+usr/lib/opkg/info/kmod-input-core.prerm
+usr/lib/opkg/info/kmod-ip6tables.control
+usr/lib/opkg/info/kmod-ip6tables.list
+usr/lib/opkg/info/kmod-ip6tables.prerm
+usr/lib/opkg/info/kmod-ipt-conntrack.control
+usr/lib/opkg/info/kmod-ipt-conntrack.list
+usr/lib/opkg/info/kmod-ipt-conntrack.prerm
+usr/lib/opkg/info/kmod-ipt-core.control
+usr/lib/opkg/info/kmod-ipt-core.list
+usr/lib/opkg/info/kmod-ipt-core.prerm
+usr/lib/opkg/info/kmod-ipt-nat.control
+usr/lib/opkg/info/kmod-ipt-nat.list
+usr/lib/opkg/info/kmod-ipt-nat.prerm
+usr/lib/opkg/info/kmod-ipt-offload.control
+usr/lib/opkg/info/kmod-ipt-offload.list
+usr/lib/opkg/info/kmod-ipt-offload.prerm
+usr/lib/opkg/info/kmod-lib-crc-ccitt.control
+usr/lib/opkg/info/kmod-lib-crc-ccitt.list
+usr/lib/opkg/info/kmod-lib-crc-ccitt.prerm
+usr/lib/opkg/info/kmod-nf-conntrack.control
+usr/lib/opkg/info/kmod-nf-conntrack.list
+usr/lib/opkg/info/kmod-nf-conntrack.prerm
+usr/lib/opkg/info/kmod-nf-conntrack6.control
+usr/lib/opkg/info/kmod-nf-conntrack6.list
+usr/lib/opkg/info/kmod-nf-conntrack6.prerm
+usr/lib/opkg/info/kmod-nf-flow.control
+usr/lib/opkg/info/kmod-nf-flow.list
+usr/lib/opkg/info/kmod-nf-flow.prerm
+usr/lib/opkg/info/kmod-nf-ipt.control
+usr/lib/opkg/info/kmod-nf-ipt.list
+usr/lib/opkg/info/kmod-nf-ipt.prerm
+usr/lib/opkg/info/kmod-nf-ipt6.control
+usr/lib/opkg/info/kmod-nf-ipt6.list
+usr/lib/opkg/info/kmod-nf-ipt6.prerm
+usr/lib/opkg/info/kmod-nf-nat.control
+usr/lib/opkg/info/kmod-nf-nat.list
+usr/lib/opkg/info/kmod-nf-nat.prerm
+usr/lib/opkg/info/kmod-nf-reject.control
+usr/lib/opkg/info/kmod-nf-reject.list
+usr/lib/opkg/info/kmod-nf-reject.prerm
+usr/lib/opkg/info/kmod-nf-reject6.control
+usr/lib/opkg/info/kmod-nf-reject6.list
+usr/lib/opkg/info/kmod-nf-reject6.prerm
+usr/lib/opkg/info/kmod-nls-base.control
+usr/lib/opkg/info/kmod-nls-base.list
+usr/lib/opkg/info/kmod-nls-base.prerm
+usr/lib/opkg/info/kmod-nls-cp437.control
+usr/lib/opkg/info/kmod-nls-cp437.list
+usr/lib/opkg/info/kmod-nls-cp437.prerm
+usr/lib/opkg/info/kmod-nls-iso8859-1.control
+usr/lib/opkg/info/kmod-nls-iso8859-1.list
+usr/lib/opkg/info/kmod-nls-iso8859-1.prerm
+usr/lib/opkg/info/kmod-nls-utf8.control
+usr/lib/opkg/info/kmod-nls-utf8.list
+usr/lib/opkg/info/kmod-nls-utf8.prerm
+usr/lib/opkg/info/kmod-ppp.control
+usr/lib/opkg/info/kmod-ppp.list
+usr/lib/opkg/info/kmod-ppp.prerm
+usr/lib/opkg/info/kmod-pppoe.control
+usr/lib/opkg/info/kmod-pppoe.list
+usr/lib/opkg/info/kmod-pppoe.prerm
+usr/lib/opkg/info/kmod-pppox.control
+usr/lib/opkg/info/kmod-pppox.list
+usr/lib/opkg/info/kmod-pppox.prerm
+usr/lib/opkg/info/kmod-slhc.control
+usr/lib/opkg/info/kmod-slhc.list
+usr/lib/opkg/info/kmod-slhc.prerm
+usr/lib/opkg/info/libblkid1.control
+usr/lib/opkg/info/libblkid1.list
+usr/lib/opkg/info/libblkid1.prerm
+usr/lib/opkg/info/libblobmsg-json.control
+usr/lib/opkg/info/libblobmsg-json.list
+usr/lib/opkg/info/libblobmsg-json.prerm
+usr/lib/opkg/info/libc.control
+usr/lib/opkg/info/libc.list
+usr/lib/opkg/info/libc.prerm
+usr/lib/opkg/info/libcomerr0.control
+usr/lib/opkg/info/libcomerr0.list
+usr/lib/opkg/info/libcomerr0.prerm
+usr/lib/opkg/info/libext2fs2.control
+usr/lib/opkg/info/libext2fs2.list
+usr/lib/opkg/info/libext2fs2.prerm
+usr/lib/opkg/info/libf2fs6.control
+usr/lib/opkg/info/libf2fs6.list
+usr/lib/opkg/info/libf2fs6.prerm
+usr/lib/opkg/info/libgcc1.control
+usr/lib/opkg/info/libgcc1.list
+usr/lib/opkg/info/libgcc1.prerm
+usr/lib/opkg/info/libip4tc2.control
+usr/lib/opkg/info/libip4tc2.list
+usr/lib/opkg/info/libip4tc2.prerm
+usr/lib/opkg/info/libip6tc2.control
+usr/lib/opkg/info/libip6tc2.list
+usr/lib/opkg/info/libip6tc2.prerm
+usr/lib/opkg/info/libjson-c4.control
+usr/lib/opkg/info/libjson-c4.list
+usr/lib/opkg/info/libjson-c4.prerm
+usr/lib/opkg/info/libjson-script.control
+usr/lib/opkg/info/libjson-script.list
+usr/lib/opkg/info/libjson-script.prerm
+usr/lib/opkg/info/libnl-tiny.control
+usr/lib/opkg/info/libnl-tiny.list
+usr/lib/opkg/info/libnl-tiny.prerm
+usr/lib/opkg/info/libpthread.control
+usr/lib/opkg/info/libpthread.list
+usr/lib/opkg/info/libpthread.prerm
+usr/lib/opkg/info/librt.control
+usr/lib/opkg/info/librt.list
+usr/lib/opkg/info/librt.prerm
+usr/lib/opkg/info/libsmartcols1.control
+usr/lib/opkg/info/libsmartcols1.list
+usr/lib/opkg/info/libsmartcols1.prerm
+usr/lib/opkg/info/libss2.control
+usr/lib/opkg/info/libss2.list
+usr/lib/opkg/info/libss2.prerm
+usr/lib/opkg/info/libubox20191228.control
+usr/lib/opkg/info/libubox20191228.list
+usr/lib/opkg/info/libubox20191228.prerm
+usr/lib/opkg/info/libubus20191227.control
+usr/lib/opkg/info/libubus20191227.list
+usr/lib/opkg/info/libubus20191227.prerm
+usr/lib/opkg/info/libuci20130104.control
+usr/lib/opkg/info/libuci20130104.list
+usr/lib/opkg/info/libuci20130104.prerm
+usr/lib/opkg/info/libuclient20160123.control
+usr/lib/opkg/info/libuclient20160123.list
+usr/lib/opkg/info/libuclient20160123.prerm
+usr/lib/opkg/info/libuuid1.control
+usr/lib/opkg/info/libuuid1.list
+usr/lib/opkg/info/libuuid1.prerm
+usr/lib/opkg/info/libxtables12.control
+usr/lib/opkg/info/libxtables12.list
+usr/lib/opkg/info/libxtables12.prerm
+usr/lib/opkg/info/logd.control
+usr/lib/opkg/info/logd.list
+usr/lib/opkg/info/logd.prerm
+usr/lib/opkg/info/mkf2fs.control
+usr/lib/opkg/info/mkf2fs.list
+usr/lib/opkg/info/mkf2fs.prerm
+usr/lib/opkg/info/mtd.control
+usr/lib/opkg/info/mtd.list
+usr/lib/opkg/info/mtd.prerm
+usr/lib/opkg/info/netifd.control
+usr/lib/opkg/info/netifd.list
+usr/lib/opkg/info/netifd.prerm
+usr/lib/opkg/info/odhcp6c.control
+usr/lib/opkg/info/odhcp6c.list
+usr/lib/opkg/info/odhcp6c.prerm
+usr/lib/opkg/info/odhcpd-ipv6only.control
+usr/lib/opkg/info/odhcpd-ipv6only.list
+usr/lib/opkg/info/odhcpd-ipv6only.prerm
+usr/lib/opkg/info/openwrt-keyring.control
+usr/lib/opkg/info/openwrt-keyring.list
+usr/lib/opkg/info/openwrt-keyring.prerm
+usr/lib/opkg/info/opkg.conffiles
+usr/lib/opkg/info/opkg.control
+usr/lib/opkg/info/opkg.list
+usr/lib/opkg/info/opkg.prerm
+usr/lib/opkg/info/partx-utils.control
+usr/lib/opkg/info/partx-utils.list
+usr/lib/opkg/info/partx-utils.prerm
+usr/lib/opkg/info/ppp-mod-pppoe.control
+usr/lib/opkg/info/ppp-mod-pppoe.list
+usr/lib/opkg/info/ppp-mod-pppoe.prerm
+usr/lib/opkg/info/ppp.conffiles
+usr/lib/opkg/info/ppp.control
+usr/lib/opkg/info/ppp.list
+usr/lib/opkg/info/ppp.prerm
+usr/lib/opkg/info/procd.control
+usr/lib/opkg/info/procd.list
+usr/lib/opkg/info/procd.prerm
+usr/lib/opkg/info/ubox.control
+usr/lib/opkg/info/ubox.list
+usr/lib/opkg/info/ubox.prerm
+usr/lib/opkg/info/ubus.control
+usr/lib/opkg/info/ubus.list
+usr/lib/opkg/info/ubus.prerm
+usr/lib/opkg/info/ubusd.control
+usr/lib/opkg/info/ubusd.list
+usr/lib/opkg/info/ubusd.prerm
+usr/lib/opkg/info/uci.control
+usr/lib/opkg/info/uci.list
+usr/lib/opkg/info/uci.prerm
+usr/lib/opkg/info/uclient-fetch.control
+usr/lib/opkg/info/uclient-fetch.list
+usr/lib/opkg/info/uclient-fetch.prerm
+usr/lib/opkg/info/urandom-seed.control
+usr/lib/opkg/info/urandom-seed.list
+usr/lib/opkg/info/urandom-seed.prerm
+usr/lib/opkg/info/urngd.control
+usr/lib/opkg/info/urngd.list
+usr/lib/opkg/info/urngd.prerm
+usr/lib/opkg/info/usign.control
+usr/lib/opkg/info/usign.list
+usr/lib/opkg/info/usign.prerm
+usr/lib/opkg/lists/
+usr/lib/opkg/status
+usr/lib/os-release
+usr/lib/pppd/
+usr/lib/pppd/2.4.8/
+usr/lib/pppd/2.4.8/rp-pppoe.so
+usr/lib64
+usr/libexec/
+usr/libexec/login.sh
+usr/libexec/validate_firmware_image
+usr/sbin/
+usr/sbin/addpart
+usr/sbin/brctl
+usr/sbin/chroot
+usr/sbin/crond
+usr/sbin/delpart
+usr/sbin/dnsmasq
+usr/sbin/dropbear
+usr/sbin/e2fsck
+usr/sbin/fsck.ext2
+usr/sbin/fsck.ext3
+usr/sbin/fsck.ext4
+usr/sbin/grub-bios-setup
+usr/sbin/ip6tables
+usr/sbin/ip6tables-restore
+usr/sbin/ip6tables-save
+usr/sbin/iptables
+usr/sbin/iptables-restore
+usr/sbin/iptables-save
+usr/sbin/mke2fs
+usr/sbin/mkfs.ext2
+usr/sbin/mkfs.ext3
+usr/sbin/mkfs.ext4
+usr/sbin/mkfs.f2fs
+usr/sbin/ntpd
+usr/sbin/ntpd-hotplug
+usr/sbin/odhcp6c
+usr/sbin/odhcpd
+usr/sbin/odhcpd-update
+usr/sbin/opkg-key
+usr/sbin/partx
+usr/sbin/pppd
+usr/sbin/xtables-legacy-multi
+usr/share/
+usr/share/acl.d/
+usr/share/acl.d/dnsmasq_acl.json
+usr/share/dnsmasq/
+usr/share/dnsmasq/dhcpbogushostname.conf
+usr/share/dnsmasq/rfc6761.conf
+usr/share/fw3/
+usr/share/fw3/helpers.conf
+usr/share/libubox/
+usr/share/libubox/jshn.sh
+usr/share/udhcpc/
+usr/share/udhcpc/default.script
+var
+www/
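Review bot: etc/dropbear/dropbear_rsa_host_key is part of the rootfs listing; please confirm it is an empty placeholder and not a generated key, because key material baked into the tarball would be identical in every container started from the image. The lib/modules/5.4.39/*.ko entries and the grub2, grub2-efi and kernel package records are further candidates for removal when the tarball is generated.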
diff --git a/openwrt_snapshot/shadow b/openwrt_snapshot/shadow
new file mode 100644
index 0000000..9bbdbf9
--- /dev/null
+++ b/openwrt_snapshot/shadow
@@ -0,0 +1,6 @@
+root:*:0:0:99999:7:::
+daemon:*:0:0:99999:7:::
+ftp:*:0:0:99999:7:::
+network:*:0:0:99999:7:::
+nobody:*:0:0:99999:7:::
+dnsmasq:x:0:0:99999:7:::
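Review bot: the dnsmasq entry on the last line has "x" in the password field where the other five entries use "*"; neither is a usable hash, but using one marker throughout makes the intent (no password login for any account) unambiguous to the next reader and to automated checks.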

github-actions[bot] avatar May 08 '20 19:05 github-actions[bot]

if FROM scratch, tarballs only exist in a single commit within the associated history?

What kind of history is needed? No force pushes I guess?

aparcar avatar May 08 '20 19:05 aparcar

if FROM scratch, tarballs only exist in a single commit within the associated history?

What kind of history is needed? No force pushes I guess?

Most likely it would be exclusively force pushes to the branches that have the tar files, so that the tarball is never a changed file in git history. For example, see the dist-* branches in https://github.com/debuerreotype/docker-debian-artifacts.

How can I remove the modules?

They would need to be removed before the tar file is committed to git. For example, this Dockerfile wouldn't save space in the resulting docker image (since previous docker layers already take space):

FROM scratch
ADD some-base.tar.gz /
RUN rm /lib/modules/*

I remember running a command like rm on the wrong architecture would cause failures, are all images created natively?

Yes they are built on architecture appropriate hardware, no qemu.

yosifkit avatar May 08 '20 22:05 yosifkit
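One way to drop /lib/modules before the tarball is committed, as the comment above recommends, shown as an added example that is not part of the thread or of the OpenWrt tooling. It rewrites the archive without executing anything from the rootfs, so it does not depend on the build host's architecture; the sample archive and the `lib/modules-load.txt` decoy path are constructed for the demonstration.

```python
import io
import posixpath
import tarfile

# Constructed stand-in for openwrt-x86-64-rootfs.tar.gz. Names follow the
# listing in the diff; "lib/modules-load.txt" is a made-up decoy that shares
# the prefix but is not inside the tree being removed.
SAMPLE_MEMBERS = [
    ("bin/", None),
    ("bin/busybox", b"\x7fELF" + b"\0" * 60),
    ("etc/shadow", b"root:*:0:0:99999:7:::\n"),
    ("lib/modules/", None),
    ("lib/modules/5.4.39/", None),
    ("lib/modules/5.4.39/nf_nat.ko", b"\0" * 4096),
    ("lib/modules/5.4.39/x_tables.ko", b"\0" * 2048),
    ("lib/modules-load.txt", b"decoy\n"),
]


def build_sample_rootfs() -> bytes:
    """Build the constructed sample archive in memory."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in SAMPLE_MEMBERS:
            info = tarfile.TarInfo(name.rstrip("/"))
            if data is None:
                info.type, info.mode = tarfile.DIRTYPE, 0o755
                tar.addfile(info)
            else:
                info.size, info.mode = len(data), 0o644
                tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def strip_tree(rootfs_gz: bytes, tree: str = "lib/modules"):
    """Return (new_archive, removed) with everything below `tree` dropped.

    The directory entry for `tree` itself is kept, and member metadata
    (mode, owner, link targets) is copied through unchanged.
    """
    removed = []
    out = io.BytesIO()
    with tarfile.open(fileobj=io.BytesIO(rootfs_gz), mode="r:gz") as src, \
         tarfile.open(fileobj=out, mode="w:gz") as dst:
        for member in src:
            # Normalise "./lib/modules/x" and "/lib/modules/x" to one form.
            path = posixpath.normpath(member.name).lstrip("/")
            if path.startswith(tree + "/"):
                removed.append((path, member.size))
                continue
            payload = src.extractfile(member) if member.isreg() else None
            dst.addfile(member, payload)
    return out.getvalue(), removed


def member_names(rootfs_gz: bytes):
    """List the normalised member paths of a gzip-compressed tar archive."""
    with tarfile.open(fileobj=io.BytesIO(rootfs_gz), mode="r:gz") as tar:
        return [posixpath.normpath(n).lstrip("/") for n in tar.getnames()]


if __name__ == "__main__":
    slim, removed = strip_tree(build_sample_rootfs())
    print(f"dropped {len(removed)} entries, "
          f"{sum(size for _, size in removed)} bytes of payload")
    print(member_names(slim))
```

Because the filtered archive is what gets committed and ADDed, the module files never enter any image layer, which is the difference from the `RUN rm` Dockerfile quoted in the comment.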

Thank you, it was great!!!

Amacorp avatar May 28 '20 12:05 Amacorp

I think instead of copying/maintaining a full copy of the tarball's /etc/inittab and /etc/shadow files (which then have the possibility of drifting from the distribution copy), I'd recommend using RUN to modify them, as in:

FROM scratch
ADD openwrt-x86-64-rootfs.tar.gz /
RUN set -eux; \
# make sure "/sbin/init" as a command will give us a shell when run interactively
	echo 'console::askfirst:/usr/libexec/login.sh' >> /etc/inittab; \
# adjust/remove empty "root" password to account for CVE-2019-5021
	passwd -l root
CMD ["ash", "--login"]

Also, I'm not sure it makes sense for the default command to be /sbin/init, since most users likely don't actually need init, which is why my suggestion above includes a switch to just ash --login, which is what /etc/inittab ends up running when /sbin/init is invoked and the user presses [enter] to activate the console.

Otherwise this rootfs tarball seems pretty good for a first pass -- size improvements like culling /lib/module from the generated rootfs can be incremental improvements later.

It might be a good idea to add a simple opkg test here (similar to https://github.com/docker-library/official-images/tree/8c95adca7690747a702dfaa43f0b0c20f14be79e/test/tests/debian-apt-get) to ensure that works / stays working over time, but that's up to your discretion.

Do you already have a PR for https://github.com/docker-library/docs in-progress? :smile:

tianon avatar Jun 25 '20 21:06 tianon
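A check for the empty-password condition that the comments above tie to CVE-2019-5021, written as an added example and not taken from the official-images test suite. It classifies the password field of each /etc/shadow entry; the "before" sample is constructed, the "PR" sample is the shadow file from the diff on this page, and the status names are this example's own.

```python
import re

# crypt(3) output: "$id$..." for the modular formats, or 13 characters of
# traditional DES. Anything else in the field cannot match a typed password.
_HASH_RE = re.compile(r"^(\$[^$]+\$.+|[./0-9A-Za-z]{13})$")

# Constructed sample: a root entry with an empty password field.
SHADOW_BEFORE = "root::0:0:99999:7:::\ndaemon:*:0:0:99999:7:::\n"

# The shadow file added by the diff on this page.
SHADOW_PR = (
    "root:*:0:0:99999:7:::\n"
    "daemon:*:0:0:99999:7:::\n"
    "ftp:*:0:0:99999:7:::\n"
    "network:*:0:0:99999:7:::\n"
    "nobody:*:0:0:99999:7:::\n"
    "dnsmasq:x:0:0:99999:7:::\n"
)

# Constructed sample: the empty root entry after `passwd -l root`, which
# prepends "!" to the password field.
SHADOW_LOCKED = "root:!:0:0:99999:7:::\n"


def classify(pw_field: str) -> str:
    """Classify the second field of a shadow entry."""
    if pw_field == "":
        return "EMPTY"      # login succeeds without any password
    if pw_field[0] in "!*":
        return "LOCKED"     # "*" placeholder or an entry locked with "!"
    if _HASH_RE.match(pw_field):
        return "HASH"       # a usable credential baked into the image
    return "INVALID"        # e.g. "x": not crypt(3) output, never matches


def audit_shadow(text: str):
    """Return [(user, status)] for every entry in a shadow file."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            # No password field at all: report it instead of guessing.
            results.append((f"line {lineno}", "MALFORMED"))
            continue
        results.append((fields[0], classify(fields[1])))
    return results


def findings(text: str):
    """Entries a base image should not ship: empty or hard-coded passwords."""
    bad = {"EMPTY", "HASH", "MALFORMED"}
    return [(user, status) for user, status in audit_shadow(text)
            if status in bad]


if __name__ == "__main__":
    for label, sample in [("before", SHADOW_BEFORE), ("PR", SHADOW_PR),
                          ("passwd -l", SHADOW_LOCKED)]:
        print(label, findings(sample) or "clean")
```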

I'm happy to look into that and continue the work. My main issue right now with the docker images is that Ctrl+C quits the running container and not only the running program within OpenWrt. Do you have an idea how this could be fixed?

aparcar avatar Jun 25 '20 22:06 aparcar

Could the ENTRYPOINT be a shell script that traps SIGINT?

https://www.shellscript.sh/trap.html

Does anything else need to be done to solve for zombie PIDs and handles? This says docker uses tini when --init is specified; which should be documented if that's necessary: https://stackoverflow.com/questions/49162358/docker-init-zombies-why-does-it-matter

westurner avatar Jun 26 '20 05:06 westurner

The idea using ash --login is actually related. It instantly fires up a login shell and automatically traps SIGINT. To have OpenWrt usable it usually requires ubusd and some extra folders. I added a minimal run.sh script:

mkdir -p /var/run/
mkdir -p /var/lock/
ubusd &
ash --login

aparcar avatar Jun 26 '20 08:06 aparcar

Sorry for the delay :pray:

I'm really confused here -- what values of "usable" are we talking about? For example, does opkg not work without ubusd running?

In my view, the most interesting thing about OpenWrt is that it's a very minimal distribution explicitly focused on size that also happens to have a decent collection of pre-built packages available for easy install / use (very similar to Alpine Linux, in many regards).

What specific things are not possible without ubusd running that would actually be interesting/useful/necessary to run in a container? From what I can tell, it's mostly for "system" services that don't actually make any sense for the container to run, so it's probably mostly fine to not have it running in the general case? (It certainly won't be running when users create their own images based off this one with FROM openwrt:xxx and use RUN opkg ..., for example.)

FWIW, the "container-native" way to handle this would be one container running ubusd and other containers sharing that via shared volume, shared networking, etc, but I realize that's likely a bit complicated to implement (and that ubusd was likely never designed with that usage mode in mind).

tianon avatar Nov 25 '20 23:11 tianon

IIRC, in order to run ansible within the container (for testing OpenWRT configs in a container before deploying to a device running an OpenWRT firmware (all of which expect ubusd to be running)).

Newer builds of gpg-agent spawn their own GPG agent if necessary (IIRC, if the socket doesn't yet exist). Could ubusd be auto-spawned similarly? Or, at the very least, could the entrypoint.sh print how to start the container with ubusd running?

Supervisord and s6 work well in containers; though I agree that's not maximal containerisation.

westurner avatar Nov 26 '20 01:11 westurner

Honestly that all seems like downstream concerns -- there are use cases for having a simple, unadorned, uncomplex openwrt image which provides just a basic OpenWrt rootfs ready to build more complex things on top of (such as a test environment for running Ansible scripts, etc but also just for users who want a simple, small image that includes a good package manager for downloading/packaging their own software).

So what I would recommend here is that you go with the smallest possible rootfs you can still call "OpenWrt" (likely a shell + appropriately configured opkg?), set the default command to a basic shell, and let further enhancement happen downstream so that the official base is something everyone interested in OpenWrt can use and expand off of without needing to worry about the details of how certain services need to run (unless they actually need those services, which they should discover pretty quickly).

Anything involving supervisord, s6, or even a process that backgrounds itself before starting whatever process was requested by the user will not be acceptable at this level (https://github.com/docker-library/official-images#review-guidelines).

To put this in a slightly different perspective, the Debian image doesn't include/default to running systemd (or sysvinit) and the Alpine image doesn't default to running openrc. The Debian image is the bare minimum that can still be called Debian (essential packages like bash + apt), and users who want to do crazy things like run systemd in a container can easily build on top of it and install systemd just as easily as users who want to do smaller things like just install nginx and run it directly.

tianon avatar Dec 15 '20 00:12 tianon
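The auto-spawn idea raised earlier in the thread, placed where the comment above says such behaviour belongs: in a downstream image's entrypoint, not in the official base. This is an added example, not code from the PR or from OpenWrt; the default socket path, the `/sbin/ubusd` location, the environment variable names and the function names are assumptions.

```shell
#!/bin/sh
# Downstream entrypoint sketch (added example, not part of the PR or of OpenWrt).
# Assumed defaults: socket path and ubusd location; override via environment.
UBUS_SOCKET="${UBUS_SOCKET:-/var/run/ubus/ubus.sock}"
UBUSD_BIN="${UBUSD_BIN:-/sbin/ubusd}"
UBUS_WAIT_SECS="${UBUS_WAIT_SECS:-5}"

# Print the action to take: reuse | spawn | skip
ubus_plan() {
    if [ -S "$1" ]; then
        echo reuse      # socket already there, e.g. shared in from another container
    elif [ -x "$2" ]; then
        echo spawn      # ubusd is installed but not running
    else
        echo skip       # plain base image: nothing to start
    fi
}

# Make sure a ubus socket exists before the real command starts.
ensure_ubusd() {
    case "$(ubus_plan "$UBUS_SOCKET" "$UBUSD_BIN")" in
        reuse) return 0 ;;
        skip)  echo "ubusd not installed; starting without ubus" >&2; return 0 ;;
    esac
    mkdir -p "$(dirname "$UBUS_SOCKET")"
    "$UBUSD_BIN" -s "$UBUS_SOCKET" &
    waited=0
    while [ ! -S "$UBUS_SOCKET" ] && [ "$waited" -lt "$UBUS_WAIT_SECS" ]; do
        sleep 1
        waited=$((waited + 1))
    done
    if [ ! -S "$UBUS_SOCKET" ]; then
        echo "ubusd did not create $UBUS_SOCKET" >&2
        return 1
    fi
}

# Run only when installed as the image's entrypoint; then hand PID 1 to the command.
if [ "${0##*/}" = "entrypoint.sh" ] && [ "$#" -gt 0 ]; then
    ensure_ubusd && exec "$@"
fi
```

Because the daemon is backgrounded before `exec`, this is the pattern the review guidelines rule out for the official image; it fits only a downstream image that actually needs ubus.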

So the instructions for running init and dropping into a shell on top of the image could be in the README.


westurner avatar Dec 15 '20 07:12 westurner

I'm updating the status of this PR to "draft" for now. When it's ready for re-review, please remove the draft status and leave a comment (GitHub unfortunately does not notify maintainers for draft state changes).

tianon avatar Apr 05 '24 23:04 tianon